[throwaway-mitm]

I have first-hand knowledge about how Comcast's content injection happens. (they'd prefer to call it "User Messaging") I'm sure you'll find the same ability from several ISPs because they all purchased a network appliance that does the content injection.

One question people are asking here: does it work over HTTPS. No it does't work over HTTPS, but if the page requests content via HTTP it is possible.

Interestingly enough, the technique is very similar to what Edward Snowden revealed as Quantum Insert, where HTTP requests monitored by the ISP and are intercepted and another web server (the network appliance in question) is able to respond more quickly. It starts with a very fast response that leads to a 302 redirect. The network appliance will then serve up a modified version of a file (usually a JS asset). The injected JS will then query the network appliance for "messages" and show them if the user is "eligible" to receive them.

[syntheticcorp]

Could you elaborate on this a bit please?

What is the appliance called? Do all HTTP requests flow through it and anything else bypasses it? Does it store or log any of the requests or responses?

[throwaway-mitm]

I'm hesitant to name the device, because thus far the company who makes it has escaped scrutiny, and I'm not the one who's going to change that right now. There was an Ars Technica article a few years ago that made reference to Xfinity doing this to notify people that they were using a hotspot. They had a follow-up article that nobody read where they pointed to the company that made the device, but they slightly misidentified them. Mostly people were upset at Comcast. The appliance is used at Cox, Shaw, and many other major ISPs all over the world: Europe, Latin America, The Middle East, Asia. There are basically two major companies operating in this space, as far as I know.

It is capable of monitoring ALL http requests, which is only about <5% of traffic going through an ISP. The more traffic you have, the more devices you need, but one can take care of a LOT of traffic, and I believe it can run as a VM. I'm not sure how it works as a VM exactly, because it also contains a custom Ethernet driver.

The same device directs people to the captive portal (if i'm not mistaken) used for logging into xfinity, or other public wifi from other providers.

Because performance is a high priority, the logging is minimal, but it keeps track of who's been served a message and doesn't collect any PII. The device is capable of serving any content, even causing a request from a third-party. So, it's possible that the content that gets ultimately injected is able to do whatever... anything a malicious advertisement would be capable of doing.

Your message eligibility is highly configurable, and can include metrics such as whether you visit certain sites, and possibly even your physical location.

There's a couple phases. First the network appliance injects so light code, using the Man-On-The-Side 302 redirect method. Once that's done, the injected code is probably going to request additional content after checking if you qualify for a message.

[throwaway-mitm]

https://arstechnica.com/tech-policy/2014/09/why-comcasts-jav...

[syntheticcorp]

OK, thanks for providing those details. Thankfully I've not encountered this anywhere before in Australasia.

[xtat]

Can I ask why you would protect the company behind the devices?

[throwaway-mitm]

All the information a person could want is available if you know where to look. I'm providing well-documented information. If more information becomes public I can talk about it, otherwise, I simply can't. Let's just leave it at that.

[grepsedawk]

Is this the same DPI device that snoops on DNS to shape bandwidth?

[throwaway-mitm]

No. AFAIK it doesn't do any DPI. It's only for user messaging (content injection).

[throwaway-mitm]

That's all for this throwaway... Logging off forever!